From owner-p4-projects Mon Jun 10 18:14:36 2002 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id B2FF537B409; Mon, 10 Jun 2002 18:14:22 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id C634037B40A for ; Mon, 10 Jun 2002 18:14:21 -0700 (PDT) Received: (from perforce@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g5B1ELB77145 for perforce@freebsd.org; Mon, 10 Jun 2002 18:14:21 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Date: Mon, 10 Jun 2002 18:14:21 -0700 (PDT) Message-Id: <200206110114.g5B1ELB77145@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f From: Robert Watson Subject: PERFORCE change 12677 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://people.freebsd.org/~peter/p4db/chv.cgi?CH=12677 Change 12677 by rwatson@rwatson_paprika on 2002/06/10 18:14:21 When VAPPEND was introduced, the ACL evaluation code wasn't updated to map ACL_WRITE into VAPPEND rights. Fix that. Submitted in large part by: ilmar Affected files ... ... //depot/projects/trustedbsd/mac/sys/kern/kern_acl.c#7 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/kern/kern_acl.c#7 (text+ko) ==== @@ -90,7 +90,7 @@ */ #ifndef CAPABILITIES if (suser_cred(cred, PRISON_ROOT) == 0) - cap_granted = (VEXEC | VREAD | VWRITE | VADMIN); + cap_granted = (VEXEC | VREAD | VWRITE | VADMIN | VAPPEND); else cap_granted = 0; #else 
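Review bot: The superuser mask in the `#ifndef CAPABILITIES` branch is a hand-written list of access bits, and nothing beside it says the list has to grow whenever a new bit can appear in acc_mode. Judging by the comparisons against `(dac_granted | cap_granted)` in the later hunks, a bit left out here cannot be satisfied through privilege. A comment above the assignment would record that, for example `/* Keep in step with the access bits evaluated below; a bit missing here cannot be granted by privilege. */`. The enclosing function begins and ends outside the hunk.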
@@ -110,9 +110,9 @@ PRISON_ROOT)) cap_granted |= VREAD; - if ((acc_mode & VWRITE) && !cap_check(cred, NULL, CAP_DAC_WRITE, - PRISON_ROOT)) - cap_granted |= VWRITE; + if (((acc_mode & VWRITE) || (acc_mode & VAPPEND)) && + !cap_check(cred, NULL, CAP_DAC_WRITE, PRISON_ROOT)) + cap_granted |= (VWRITE | VAPPEND); if ((acc_mode & VADMIN) && !cap_check(cred, NULL, CAP_FOWNER, PRISON_ROOT)) @@ -138,7 +138,7 @@ if (acl->acl_entry[i].ae_perm & ACL_READ) dac_granted |= VREAD; if (acl->acl_entry[i].ae_perm & ACL_WRITE) - dac_granted |= VWRITE; + dac_granted |= (VWRITE | VAPPEND); if ((acc_mode & dac_granted) == acc_mode) return (0); if ((acc_mode & (dac_granted | cap_granted)) == @@ -190,9 +190,9 @@ if (acl_mask->ae_perm & ACL_READ) acl_mask_granted |= VREAD; if (acl_mask->ae_perm & ACL_WRITE) - acl_mask_granted |= VWRITE; + acl_mask_granted |= (VWRITE | VAPPEND); } else - acl_mask_granted = VEXEC | VREAD | VWRITE; + acl_mask_granted = VEXEC | VREAD | VWRITE | VAPPEND; /* * Iterate through user ACL entries. Do checks twice, first @@ -214,7 +214,7 @@ if (acl->acl_entry[i].ae_perm & ACL_READ) dac_granted |= VREAD; if (acl->acl_entry[i].ae_perm & ACL_WRITE) - dac_granted |= VWRITE; + dac_granted |= (VWRITE | VAPPEND); dac_granted &= acl_mask_granted; if ((acc_mode & dac_granted) == acc_mode) return (0); @@ -247,7 +247,7 @@ if (acl->acl_entry[i].ae_perm & ACL_READ) dac_granted |= VREAD; if (acl->acl_entry[i].ae_perm & ACL_WRITE) - dac_granted |= VWRITE; + dac_granted |= (VWRITE | VAPPEND); dac_granted &= acl_mask_granted; if ((acc_mode & dac_granted) == acc_mode) @@ -265,7 +265,7 @@ if (acl->acl_entry[i].ae_perm & ACL_READ) dac_granted |= VREAD; if (acl->acl_entry[i].ae_perm & ACL_WRITE) - dac_granted |= VWRITE; + dac_granted |= (VWRITE | VAPPEND); dac_granted &= acl_mask_granted; if ((acc_mode & dac_granted) == acc_mode) 
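Review bot: The new condition in the -110 hunk tests the two bits separately, `((acc_mode & VWRITE) || (acc_mode & VAPPEND))`, where a single mask test reads more directly: `if ((acc_mode & (VWRITE | VAPPEND)) &&`. An append-only request also now puts VWRITE into cap_granted. That looks harmless, because the comparisons visible in the later hunks always mask with acc_mode. If cap_granted is read anywhere outside these hunks without that mask, granting only the requested bits would be safer: `cap_granted |= (acc_mode & (VWRITE | VAPPEND));`. The enclosing block starts and ends outside the hunk.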
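Review bot: The mapping from `ae_perm` to vnode access bits is written out inline in the -138 hunk and again in the hunks at -214, -247, -265, -295, -316 and -347 (with a mask variant at -190), so every new access bit needs the same edit in each copy. A missed copy would leave one class of ACL entry evaluated differently from the rest. Moving the mapping into one static helper and calling it at each site leaves a single place to update. The sketch assumes dac_granted is a mode_t and ae_perm an acl_perm_t, which these hunks do not show, and the helper name is only a suggestion. The execute mapping sits above the hunk and is left as a comment.

```c
/* Translate POSIX.1e ACL permission bits into vnode access bits. */
static mode_t
acl_perm_to_mode(acl_perm_t perm)
{
	mode_t granted = 0;

	/* … unchanged: execute mapping, above the hunk … */
	if (perm & ACL_READ)
		granted |= VREAD;
	if (perm & ACL_WRITE)
		granted |= (VWRITE | VAPPEND);
	return (granted);
}

/* at each call site */
dac_granted |= acl_perm_to_mode(acl->acl_entry[i].ae_perm);
```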
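Review bot: Nothing at the mask computation in the -190 hunk says why VAPPEND has to appear in acl_mask_granted. The later hunks apply `dac_granted &= acl_mask_granted;`, which would strip the bit from every masked entry if it were missing here. A short comment on the `else` branch would tie the two together, such as `/* No mask entry: no restriction; must include every bit the entry mapping can grant. */`. The enclosing function continues outside the hunk.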
@@ -295,7 +295,7 @@ if (acl->acl_entry[i].ae_perm & ACL_READ) dac_granted |= VREAD; if (acl->acl_entry[i].ae_perm & ACL_WRITE) - dac_granted |= VWRITE; + dac_granted |= (VWRITE | VAPPEND); dac_granted &= acl_mask_granted; if ((acc_mode & (dac_granted | cap_granted)) != @@ -316,7 +316,7 @@ if (acl->acl_entry[i].ae_perm & ACL_READ) dac_granted |= VREAD; if (acl->acl_entry[i].ae_perm & ACL_WRITE) - dac_granted |= VWRITE; + dac_granted |= (VWRITE | VAPPEND); dac_granted &= acl_mask_granted; if ((acc_mode & (dac_granted | cap_granted)) != @@ -347,7 +347,7 @@ if (acl_other->ae_perm & ACL_READ) dac_granted |= VREAD; if (acl_other->ae_perm & ACL_WRITE) - dac_granted |= VWRITE; + dac_granted |= (VWRITE | VAPPEND); if ((acc_mode & dac_granted) == acc_mode) return (0); To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message